Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 19-05-2024 22:38
Static task: static1
Behavioral task: behavioral1
- Sample: 5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe
- Resource: win10v2004-20240426-en
General
- Target: 5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe
- Size: 658KB
- MD5: 5bd91a97aa2e10adc9c00c400b50158f
- SHA1: 16c2d0132914fe69e2d3bee62bd868f256a1db3a
- SHA256: d358c87cf527ba9f5036d0fa620101d49d526c023187f29a86f3fdb8510263d6
- SHA512: 26c7b202a08e8a18c2a61ee2017b6e696f82649241335863073dd89faa05f31eac187f5d7c540733a6833b7d5ea65ecfbeeb86d9bb1af64a7b9e0a6dbcbbb304
- SSDEEP: 6144:qIO3wz0Co3sLuwhOAJBGiDZdDn6h60rk8/W7Tr7s5A0fgYXkSByW7huU0:XHpZdOU0rk8qhGgYXh70
Malware Config
Extracted: azorult
- URL: http://vitani.tk/disk/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Drops startup file (3 IoCs)
  Processes: cmd.exe, office.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe (process: cmd.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe (process: cmd.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.lnk (process: office.exe)
- Executes dropped EXE (1 IoC)
  Processes: office.exe
  - PID 2700: office.exe
- Loads dropped DLL (1 IoC)
  Processes: office.exe
  - PID 2700: office.exe
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  - Resource: behavioral1/memory/3048-2-0x0000000000250000-0x0000000000270000-memory.dmp (yara_rule: agile_net)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: office.exe
  - PID 2700 (office.exe) set thread context of PID 1268 (RegAsm.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe, office.exe
  - Token: SeDebugPrivilege, PID 3048 (5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe)
  - Token: SeDebugPrivilege, PID 2700 (office.exe)
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes: 5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe, explorer.exe, office.exe
  - PID 3048 (5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe) wrote to memory of PID 2768 (cmd.exe), 4 times
  - PID 3048 (5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe) wrote to memory of PID 2576 (explorer.exe), 4 times
  - PID 2656 (explorer.exe) wrote to memory of PID 2700 (office.exe), 4 times
  - PID 2700 (office.exe) wrote to memory of PID 1268 (RegAsm.exe), 13 times
Processes
- C:\Users\Admin\AppData\Local\Temp\5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe"
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe"
    Signatures:
    - Drops startup file
  - Child process: C:\Windows\SysWOW64\explorer.exe (level 2)
    Command line: "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe"
- C:\Windows\explorer.exe (level 1)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Signatures:
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe"
    Signatures:
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Child process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe
  Filesize: 658KB
  MD5: 5bd91a97aa2e10adc9c00c400b50158f
  SHA1: 16c2d0132914fe69e2d3bee62bd868f256a1db3a
  SHA256: d358c87cf527ba9f5036d0fa620101d49d526c023187f29a86f3fdb8510263d6
  SHA512: 26c7b202a08e8a18c2a61ee2017b6e696f82649241335863073dd89faa05f31eac187f5d7c540733a6833b7d5ea65ecfbeeb86d9bb1af64a7b9e0a6dbcbbb304
- memory/1268-14-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/1268-19-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/1268-15-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/1268-16-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/1268-17-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/1268-18-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/1268-13-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/2700-10-0x00000000011D0000-0x000000000127A000-memory.dmp (Filesize: 680KB)
- memory/3048-0-0x0000000074BFE000-0x0000000074BFF000-memory.dmp (Filesize: 4KB)
- memory/3048-1-0x0000000000EE0000-0x0000000000F8A000-memory.dmp (Filesize: 680KB)
- memory/3048-2-0x0000000000250000-0x0000000000270000-memory.dmp (Filesize: 128KB)
- memory/3048-7-0x0000000074BF0000-0x00000000752DE000-memory.dmp (Filesize: 6.9MB)
- memory/3048-4-0x0000000074BF0000-0x00000000752DE000-memory.dmp (Filesize: 6.9MB)
- memory/3048-3-0x0000000074BF0000-0x00000000752DE000-memory.dmp (Filesize: 6.9MB)